Reminder: Check the Security improvements tag

greggles's picture

Hello security minded folks!

There is a tag in use in the issue queue called "Security improvements" this is often used for areas where there is some sort of a bug or feature that isn't quite worth handling in private by the security team, but where action is needed to harden Drupal's security.

One example: Make default htaccess rules protocol sensitive to avoid man-in-the-middle-attacks if users don't fully customize the rule. The uncommented configuration in .htaccess, if used directly on a site secured with SSL, could allow a malicious attacker to perform a man-in-the-middle attack and sniff the user's session. BMDan reported this to the security team, but it was made public because: the configuration is commented out by default and users are encouraged to modify it to fit their needs AND it requires a compromised network. Those factors mean that a site admin would have to uncomment this and not think about the security implications (which is plausible, but not super likely) AND that some part of their network infrastructure would already have to be compromised (again, plausible, but not super likely).

However, just because it's unlikely doesn't mean it shouldn't be fixed. There are tons more examples like this where we can make it harder for site-owners to introduce security mistakes into their sites and they are all in the Security improvements tag. So, please pick an issue or two as you can from this tag and let's fix them!

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

Hot content this week